如何删除ASP.Net MVC默认HTTP标头?

时间:2010-08-05 19:45:05

标签: asp.net-mvc security http-headers

我正在使用的MVC应用程序中的每个页面都在响应中设置这些HTTP标头:

X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0

如何防止这些出现?

11 个答案:

答案 0 :(得分:253)

X-Powered-By是IIS中的自定义标头。自IIS 7起,您可以通过将以下内容添加到web.config

来删除它
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

此标题也可以根据您的需要进行修改,有关详细信息,请参阅http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders


将其添加到web.config以删除X-AspNet-Version标题:

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

最后,要删除X-AspNetMvc-Version,请修改Global.asax.cs并在Application_Start事件中添加以下内容:

protected void Application_Start()
{
    MvcHandler.DisableMvcResponseHeader = true;
}

您还可以通过Application_PreSendRequestHeaders中的Global.asax.cs事件在运行时修改标头。如果您的标头值是动态的,那么这很有用:

protected void Application_PreSendRequestHeaders(object source, EventArgs e)
{
      Response.Headers.Remove("foo");
      Response.Headers.Add("bar", "quux");
}

答案 1 :(得分:102)

您也可以通过向global.asax文件添加代码来删除它们:

 protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
 {
   HttpContext.Current.Response.Headers.Remove("X-Powered-By");
   HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
   HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
   HttpContext.Current.Response.Headers.Remove("Server");
 }

答案 2 :(得分:49)

我在web.config中找到了此配置,该配置适用于在Visual Studio中创建的New Web Site...(而不是New Project...)。由于问题陈述了一个ASP.NET MVC应用程序,不是相关的,但仍然是一个选项。

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <clear />
      <remove name="X-Powered-By" />
    </customHeaders>
   </httpProtocol>
</system.webServer>

更新:此外,Troy Hunt还有一篇标题为Shhh… don’t let your response headers talk too loudly的文章,其中包含有关删除这些标题的详细步骤以及指向其ASafaWeb工具的链接,以便对其进行扫描,其他安全配置。

答案 3 :(得分:30)

Cloaking your ASP.NET MVC Web Application on IIS 7中所述,您可以通过将以下配置部分应用到web.config来关闭X-AspNet-Version标头:

<system.web> 
  <httpRuntime enableVersionHeader="false"/> 
</system.web>

并通过更改Global.asax.cs删除X-AspNetMvc-Version标头,如下所示:

protected void Application_Start() 
{ 
    MvcHandler.DisableMvcResponseHeader = true; 
}

Custom Headers 中所述,您可以通过将以下配置部分应用到web.config来删除“X-Powered-By”标头:

<system.webServer>
   <httpProtocol>
      <customHeaders>
         <clear />
      </customHeaders>
   </httpProtocol>
</system.webServer>

没有简单的方法可以通过配置删除“服务器”响应标头,但您可以实现HttpModule删除特定HTTP标头,如Cloaking your ASP.NET MVC Web Application on IIS 7how-to-remove-server-x-aspnet-version-x-aspnetmvc-version-and-x-powered-by-from-the-response-header-in-iis7中所述。

答案 4 :(得分:25)

  

.NET Core

要删除 Program.cs 文件中的服务器标头,请添加以下选项:

.UseKestrel(opt => opt.AddServerHeader = false)

对于dot net core 1,在.UseKestrel()调用中添加选项。对于dot net core 2,在UseStartup()之后添加该行。

要删除 X-Powered-By 标头,如果部署到IIS,请编辑web.config并在system.webServer标记内添加以下部分:

<httpProtocol>
    <customHeaders>
        <remove name="X-Powered-By" />
    </customHeaders>
</httpProtocol>
  

.NET 4.5.2

要删除 global.asax 文件中的服务器标题,请添加以下内容:

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string[] headers = { "Server", "X-AspNet-Version" };

        if (!Response.HeadersWritten)
        {
            Response.AddOnSendingHeaders((c) =>
            {
                if (c != null && c.Response != null && c.Response.Headers != null)
                {
                    foreach (string header in headers)
                    {
                        if (c.Response.Headers[header] != null)
                        {
                            c.Response.Headers.Remove(header);
                        }
                    }
                }
            });
        }

    }
  

Pre .NET 4.5.2

将以下c#类添加到项目中:

public class RemoveServerHeaderModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose() { }

    void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext.Current.Response.Headers.Remove("Server");
    }
}

然后在你的web.config中添加以下&lt; modules&gt;部分:

<system.webServer>
    ....
 <modules>
    <add name="RemoveServerHeaderModule" type="MyNamespace.RemoveServerHeaderModule" />
 </modules>

但是我遇到了子项目找不到这个模块的问题。不好玩。

删除X-AspNetMvc-Version标头

要删除“X-AspNetMvc-Version”标记,对于任何版本的.NET,请修改“web.config”文件以包含:

<system.web>
...
   <httpRuntime enableVersionHeader="false" />
...
</system.web>

感谢微软让这难以置信。或者也许这是你的意图,以便你可以跟踪世界各地的IIS和MVC安装......

答案 5 :(得分:7)

Removing standard server headers on Windows Azure Web Sites页上所示,您可以使用以下内容删除标题:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true"/>
    </security>
  </system.webServer>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>

这将删除Server标头和X-header。

这在我在Visual Studio 2015中的测试中本地工作。

答案 6 :(得分:7)

在Asp.Net Core中,你可以像这样编辑web.config文件:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

您可以删除Kestrel选项中的服务器标头:

            .UseKestrel(c =>
            {
                // removes the server header
                c.AddServerHeader = false;
            }) 

答案 7 :(得分:2)

为了完整起见,还有另一种方法可以使用regedit删除Server标题。

See this MSDN blog

  

在以下注册表项中创建名为DisableServerHeader的DWORD条目,并将值设置为1.

     

HKLM \系统\ CurrentControlSet \服务\ HTTP \参数

我宁愿使用Web.config找到合适的解决方案,但使用<rewrite>并不好,因为它需要安装重写模块,即使这样它也不会真正删除标题,只是清空它。

答案 8 :(得分:1)

您可以在Application_EndRequest()尝试此

中更改任何标题或任何内容
protected void Application_EndRequest()
{
    // removing excessive headers. They don't need to see this.
    Response.Headers.Remove("header_name");
}

答案 9 :(得分:1)

IIS将X-Powered-By标头添加到HTTP响应中,因此您甚至可以通过IIS管理器在服务器级别删除它:

您可以直接使用web.config:

<system.webServer>
   <httpProtocol>
     <customHeaders>
       <remove name="X-Powered-By" />
     </customHeaders>
   </httpProtocol>
</system.webServer>

答案 10 :(得分:0)

检查this blog 不要使用代码删除标头。根据{{​​3}}

不稳定

我对此:

<system.webServer>          
    <httpProtocol>
    <!-- Security Hardening of HTTP response headers -->
    <customHeaders>
        <!--Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent 
                Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
        <add name="X-Content-Type-Options" value="nosniff" />

        <!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not. 
                 By preventing a browser from framing your site you can defend against attacks like clickjacking. 
                 Recommended value "x-frame-options: SAMEORIGIN" -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />

        <!-- Setting X-Permitted-Cross-Domain-Policies header to “master-only” will instruct Flash and PDF files that 
                 they should only read the master crossdomain.xml file from the root of the website. 
                 https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
        <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />

        <!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. 
                 Recommended value "X-XSS-Protection: 1; mode=block". -->
        <add name="X-Xss-Protection" value="1; mode=block" />

        <!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites. 
                 If you have sensitive information in your URLs, you don't want to forward to other domains 
                 https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
        <add name="Referrer-Policy" value="no-referrer-when-downgrade" />

        <!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
        <remove name="X-Powered-By" />

        <!-- Ensure the cache-control is public, some browser won't set expiration without that  -->
        <add name="Cache-Control" value="public" />
    </customHeaders>
</httpProtocol>

<!-- Prerequisite for the <rewrite> section
            Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite -->
<rewrite>
    <!-- Remove Server response headers (OWASP Security Measure) -->
    <outboundRules rewriteBeforeCache="true">
        <rule name="Remove Server header">
            <match serverVariable="RESPONSE_Server" pattern=".+" />

            <!-- Use custom value for the Server info -->
            <action type="Rewrite" value="Your Custom Value Here." />
        </rule>
    </outboundRules>
</rewrite>
</system.webServer>